
Possible revisions to sshd policy due to component separation #797

Open
0xC0ncord opened this issue Jul 15, 2024 · 2 comments
Labels
help wanted Extra attention is needed

Comments

@0xC0ncord (Contributor)

As mentioned in #793, OpenSSH is reworking the sshd binary by splitting some of its functionality into separate components. This started with OpenSSH 9.8 by splitting the SSH protocol and listening functionality into ssh-session and sshd respectively. According to the changelog, there are plans to further separate sshd into separate components.

We should watch these coming changes and consider reworking the policy for sshd to cover these components individually.

@0xC0ncord (Contributor, Author)

Something additional to consider: how should the policy continue to cover ssh daemons which continue to have monolithic behavior (e.g. dropbear or older OpenSSH versions)?

@pebenito (Member) commented Jul 15, 2024

> Something additional to consider: how should the policy continue to cover ssh daemons which continue to have monolithic behavior (e.g. dropbear or older OpenSSH versions)?

Put the permissions that are removed from sshd_t into a conditional sshd_unified.

```m4
# sshd_unified is a boolean (declared with gen_tunable), so the
# condition/true-branch/false-branch form is tunable_policy.
tunable_policy(`sshd_unified',`
	<perms moved to session domain>
',`
	<domtrans to session domain>
')
```

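An added illustration, not code from refpolicy or from the comment above, of how that conditional could be laid out in a refpolicy-style `.te` module so that the split and monolithic daemons share one policy. The type names `sshd_session_t` / `sshd_session_exec_t`, the boolean `sshd_unified` and the particular capabilities are assumptions for illustration; the macros and interfaces (`policy_module`, `gen_tunable`, `init_daemon_domain`, `domain_type`, `domain_entry_file`, `domtrans_pattern`, `tunable_policy`, `corenet_tcp_bind_ssh_port`) are refpolicy's.

```m4
policy_module(sshd_split_example, 1.0.0)

## <desc>
## <p>
## Treat sshd as a single (unified) domain instead of handing each
## connection to a separate session domain (for dropbear or older OpenSSH).
## </p>
## </desc>
gen_tunable(sshd_unified, false)

########################################
#
# Declarations (hypothetical names for this example)
#

type sshd_t;
type sshd_exec_t;
init_daemon_domain(sshd_t, sshd_exec_t)

# Per-connection domain for the split-out session binary (assumed name).
type sshd_session_t;
type sshd_session_exec_t;
domain_type(sshd_session_t)
domain_entry_file(sshd_session_t, sshd_session_exec_t)

########################################
#
# Listener policy
#

# Permissions both layouts need stay unconditional.
allow sshd_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_ssh_port(sshd_t)

tunable_policy(`sshd_unified',`
	# Monolithic daemon: the listener runs the protocol session itself,
	# so the session permissions (example set) stay in sshd_t.
	allow sshd_t self:capability { setuid setgid sys_chroot };
',`
	# Split daemon: the listener only gets to transition into the
	# session domain when it executes the session binary.
	domtrans_pattern(sshd_t, sshd_session_exec_t, sshd_session_t)
')

########################################
#
# Session policy (unconditional; unused when sshd_unified is on)
#

allow sshd_session_t self:capability { setuid setgid sys_chroot };
```

With the boolean off (the default here) the privileged session permissions never live in `sshd_t`; the listener can only reach them by transitioning into `sshd_session_t`, which is the separation the OpenSSH split is meant to buy. Turning the boolean on restores the monolithic layout for daemons that still do everything in one process. After loading, `sesearch -T -s sshd_t` shows the transition rule tagged with the boolean, and `sesearch -A -s sshd_t -c capability` should come back empty unless `sshd_unified` is on.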
@pebenito pebenito added the help wanted Extra attention is needed label Jul 19, 2024